External Embed

This component is used to display a large iframe containing third-party content in a menu item. You can use it, for example, to embed a report from an external system.

Security Considerations

You can safely embed untrusted content as long as it has a different origin from your Softadmin® system. Content with the same origin as the system, on the other hand, is able to escape the iframe and run scripts inside your system!

https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy#Definition_of_an_origin

There are two mitigations:

  1. Require the Softadmin® system to have its own subdomain that it does not share with any other services. Even if the system owner has untrusted content on other servers, it will always be treated as coming from a different origin.
  2. Don't allow end users to administer the URLs used by the component. That way you, as a developer, can ensure that only trusted content is embedded by carefully evaluating each URL.
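One way to apply both mitigations when a developer evaluates a URL for this component, as an added example (not Softadmin's own code). The host names, `SYSTEM_ORIGIN`, `APPROVED_ORIGINS` and `vetSourceUrl` are assumptions made for illustration.

```javascript
// Added example: vet a candidate SourceUrl before it is stored for the
// External Embed component. All names and hosts here are constructed.

// Assumption: the origin your Softadmin system is served from.
const SYSTEM_ORIGIN = "https://admin.example.com";

// Assumption: origins a developer has reviewed and approved for embedding.
const APPROVED_ORIGINS = new Set(["https://reports.example.net"]);

function vetSourceUrl(candidate, systemOrigin = SYSTEM_ORIGIN, approved = APPROVED_ORIGINS) {
  let url;
  try {
    // No base URL is passed, so relative URLs throw: SourceUrl must be absolute.
    url = new URL(candidate);
  } catch {
    return { ok: false, reason: "not an absolute URL" };
  }
  // Policy choice in this example: only http(s) content is embedded.
  if (url.protocol !== "https:" && url.protocol !== "http:") {
    return { ok: false, reason: "scheme not allowed" };
  }
  // url.origin is scheme + host + port, lower-cased, default port dropped,
  // and it ignores any user:password@ prefix in front of the host.
  if (url.origin === new URL(systemOrigin).origin) {
    return { ok: false, reason: "same origin as the system" };
  }
  // Exact origin match: a different scheme or a look-alike host is rejected.
  if (!approved.has(url.origin)) {
    return { ok: false, reason: "origin not approved" };
  }
  return { ok: true, origin: url.origin };
}

// Constructed sample inputs.
const samples = [
  "https://reports.example.net/r?id=5",
  "HTTPS://ADMIN.EXAMPLE.COM:443/upload/x.html",
  "https://reports.example.net@admin.example.com/x",
  "https://admin.example.com.other.test/",
  "/softadmin.aspx?id=5",
  "data:text/html,hello",
];
for (const s of samples) console.log(s, "->", JSON.stringify(vetSourceUrl(s)));
```

The comparison is done on the parsed origin rather than on the URL string, so differences in case, an explicit default port, or a `user@` prefix do not hide a URL that points back at the system itself.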

SQL

SQL Call: Get IFrame (mandatory)

May modify database: No

Resultset: IFrame Data

Table count: repeated exactly once
Row count: exactly one row
Columns
SourceUrl mandatory string
The URL to show in the frame. The URL must be an absolute URL, not a relative one. This column must be the first column in the table.
FrameHeight optional int
The frame's height in pixels. By default the frame will be tall enough to reach the bottom of the window.
HasScrollbar optional bit
Whether the frame has a scrollbar. The default is true. Only disable the scrollbar if you are certain the embedded content will fit inside the frame.
<colname> optional string
Additional columns are appended to the URL as query string parameters.

SQL Call: Validate parameters

Allows you to validate the parameters supplied by the user before any other SQL is run in the component. This call is only made if the component has visible parameters, the SQL is a stored procedure, and Validate parameters is checked.

May modify database: No

Parameters

@Force bit
Set to 1 if the last call to validate parameters used admin_force and the user clicked OK in the OK/Cancel dialog.
@ValidateParams bit
Set to 1 when this call is made.

Resultset: Messages (optional)

Table count: repeated zero or one time
Row count: zero or one row
Columns
ADMIN_Force optional string
Message asking the end user to confirm their parameters.
ADMIN_Message optional string
Message explaining why the parameters are rejected.

InfoSQL

See the InfoSQL documentation for details.

Custom access control and logging

SQL Call: Custom access control and logging

Use this call to restrict which entries a user is allowed to view and edit, and to log which entries a user views.

Access to a menu item is normally controlled through functions and roles alone but some entities need more fine grained control. For example, a user may have access to the View Member menu item for normal members but not for members with a protected identity.

The menu items a user visits are always logged (in ADMINLogMenuItem) but for sensitive data you may need to log exactly what entries are viewed. Do the logging in this call as the common ways of viewing data (grid and InfoSQL) are not allowed to modify the database.

If you bind a scalar function instead of a stored procedure to this call then its name must end with '_GrantAccess'.

May modify database: Yes

Resultset: Access permissions

Return whether the user is allowed to visit the menu item with the current parameters.
Table count: repeated exactly once
Row count: exactly one row
Columns
GrantAccess mandatory bit
1 if the user is allowed to view the menu item, 0 if the user should not be allowed to view the menu item.

If 0 then an error will be logged as the user should not have been able to reach the menu item with the given parameters in the first place.

Querystring parameters

menuitemheading optional
String that replaces the menu item name when the menu item is loaded. It does not replace the name anywhere it is shown before that (for example, in the navigator). It is ignored if the menu item is displayed as a part in a multipart, in which case the name can be set from the multipart procedure.

Examples

IFrame with arguments

An IFRAME where some query string parameters are hardcoded in the URL and some are varied.

SELECT
	'https://documentation.softadmin.com/softadmin.aspx?id=5' AS SourceUrl,
	'External+Redirect' AS Component